Aaron’s Law Introduced: Now Is the Time to Reform the CFAA

Today, Reps. Zoe Lofgren and Jim Sensenbrenner, and Sen. Ron Wyden introduced Aaron’s Law, a bipartisan bill to reform the Computer Fraud and Abuse Act (CFAA), the law notoriously used in the aggressive prosecution of the late Aaron Swartz. Lofgren and Sensenbrenner's bill draws from EFF’s own proposal written in the wake of Aaron’s tragic death and fixes some of the main problems with the CFAA. You can tell your representative to support common sense changes to the CFAA by going here.

For years, the CFAA has been widely abused by prosecutors to hamper security research, stifle innovation, and lock away for years people who have caused little or no economic harm. The CFAA was originally intended to cover the hacking of Defense Department and bank computers, but it's been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. We’ve written extensively about the need for CFAA reform and Aaron’s Law is a great first step.

First, Lofgren and Sensenbrenner's bill deletes the vague phrase “exceeds authorized access” and clarifies the definition of “access without authorization,” key fixes in a law that has for years been misinterpreted because of its vague definitions. By fixing these definitions, the bill incorporates judgments from the Fourth and Ninth Circuits, which held that access in violation of private contracts, like employer agreements and terms of service, is not a criminal offense under the CFAA.

This is a great step forward. The Department of Justice has aggressively argued for an interpretation of the law that would criminalize website terms of service violations. As the Ninth Circuit court explained, under the DOJ’s dangerous—and incorrect—interpretation, “posting for sale an item prohibited by Craigslist's policy, or describing yourself as ‘tall, dark and handsome’ when you're actually short and homely, will earn you a handsome orange jumpsuit.”

Without this change, the government could've prosecuted everyday Americans for low-level terms of service violations, like accessing your friend's Facebook page, or, for a time, reading Seventeen Magazine when you are under 18 years old. In short, everyone would be a criminal, leaving it up to the government to decide when and where to bring down the hammer.

The bill also addresses provisions that have allowed the Justice Department to use the statute too aggressively by deleting one of the CFAA's redundant clauses and lowering its penalties in specific situations. Both are crucial factors that lead to overzealous persecutions like the ones seen in Andrew ‘Weev’ Auernheimer and Swartz's cases, where multiple felony counts were stacked on top of each other for the same underlying action and where both defendants faced decades in jail for “crimes” that caused little or no economic harm.

While Aaron’s Law is clearly an improvement, it is important to point out that it’s far from perfect. We would have liked to see an additional redundant provision cut from the CFAA and more penalty reductions to the draconian scheme currently in the CFAA—notably, the bill sensibly removed the ability to bootstrap penalties in one clause, but not three others.

In order to protect security researchers, innovators and ordinary citizens who take measures to protect their privacy, we have also asked (PDF) for a clause that would clarify that your efforts to mask or hide your real name, personally identifiable information or device identifier (like IP address or MAC address) are not criminal in and of themselves.

But common sense changes to the CFAA are needed to update the law and bring it in line with recent court rulings, and this bill is a great start. Now it's time for Congress to act. Tell your representatives to support common sense changes to the CFAA.
